Keep Your Cyber-hands to Yourself: EMR and Health IT Security is Essential

“Another medical bill?” I thought as I saw an envelope sitting on top of the mail pile with the logo of the health care system I use. “I know I already paid this….”

Irritated, I opened the envelope, envisioning the phone calls, canceled checks and other hoops I’d have to jump through to prove the bill had been paid. Well, was I in for a surprise. The letter inside had nothing to do with medical bills. No, it was to inform me that my personal information, including my name, address, social security number, physician name, medical record number and health insurance information, may have been compromised. This makes me part of the second-largest HIPAA data breach to date.

On July 15, an administrative office at Illinois’ largest health care system, Advocate Health Care, was burglarized and four password-protected computers were stolen. If that is not unfortunate enough, the four computers were unencrypted. A police investigation is underway and, on Aug. 23, the system began sending letters regarding the incident to patients – like me – whose data may have been compromised by the theft. There are about 4 million of us since the computers contain information going back to the 1990s. We’re being offered a free one-year membership to an identity protection service. On Sept. 6, two plaintiffs representing patients filed a class-action lawsuit against the health system.

This is not Advocate’s first experience with a data breach. In 2009, 812 patients’ records were compromised when an employee’s unencrypted laptop was stolen. They are also not alone in data breaches. Howard University, the Utah Department of Health and TRICARE have all experienced data breaches.

The concept of HIPAA violations has been drilled into clinicians’ heads for the past decade or so. Don’t give out information about a patient over the phone unless you have written permission. Don’t discuss patients or their care in public places. Don’t release medical records unless you have the proper paperwork to do so. Privacy is such a big concern that it sometimes impedes the other P in HIPAA—portability.

While clinicians have been indoctrinated to withhold information from those nosy neighbors or estranged siblings, it seems that physically securing the data when it is stored electronically is a challenge. Learning from others’ mistakes, or your own in the case of Advocate, seems to be slow-going.

Is it because health care is adopting EMR and Health IT at such a rapid pace that implementing and securing technology is overwhelming? Or is cyber-theft unavoidable in our technology-laden world? It’s not just health care companies that have experienced theft of clients’ personal information. Companies like Coca-Cola, NASDAQ and 7-11 have also fallen prey to hackers. Is it a given that there’s someone out there with the skills to outsmart or circumvent any security measure?

I’m not sure of the answers to those questions. I do know there needs to be a serious effort to learn from mistakes. For example, if you had a data breach because a computer was not encrypted, you should probably make data encryption a priority. There are resources out there to provide direction regarding health information privacy.

Sometimes things that are unavoidable happen, but it’s better to try to stay ahead of the game and keep your patients’ personal information safe. It’s very much like the safety measures you take at home. Someone can always break in, but it’s going to be more difficult for them to do it if you lock your doors and windows or have an alarm system.

Jennifer Thew, RN, MSJ

Jennifer Thew, RN, MSJ, is a registered nurse and journalist who has covered healthcare issues and how they relate to the nursing profession. She began her nursing career as a neuroscience nurse at Rush University Medical Center in Chicago and then transitioned to journalism after receiving a degree from Roosevelt University in Chicago. She has edited and written numerous articles on a wide range of nursing and healthcare topics like Accountable Care Organizations, evidence-based practice and telehealth.


Steve Decker

Personal patient information is so important – it absolutely must be protected as rigorously as possible with a product that is compliant with HIPAA privacy and security rules (here is an article about these rules http://www.koolspan.com/blog/weekly-word-hipaa/). And, this applies not only to patient records stored on hard drives but also to SMS messages to other healthcare providers or pharmacies.
